Some HJT Usage Tips
Straight_Man
Geeky, in my own way | Naples, FL | Icrontian
Here's how I figure out how to delete things:
I run HJT 2-3 times, in safe mode, after updating it online, and if I am running it on a 2000 or XP box, I run it as admin user also.
Pass one, I always kill any line that has (noname) AND (missing file) in it. These are actually junk entries about 99% of the time.
Pass Two, I look for files with RANDOM names, many viruses use random named .exe files as runnables. For a new HJT user, backup what you kill on this pass.
Examples:
ccApp.exe is NOT a random name, Symantec uses cc for the common client parts of its software, these should be in a folder that has the name Symantec and has \Common Client\ in the path.
fsibkvbg.exe is a random .exe (I typed in a random name not known to be used by legit apps) I would delete and BACK UP with HJT. Look for totally random names here, anything that looks like it might belong in place where it lives now, web research (Google can search ccApp.exe and one of the top results will tell you it is a Symantec app, and a totally random name will yield one of two things-- a virus info page, or a nothing result) or post a log here or BOTH, and wait to delete without backing up.
Pass three is more complex, I run HJT AFTER also running Adaware 6.0 and SpyBot S&D 1.3 in safe mode after getting them and updating them while computer is on the web, print log, go online from a different computer, and research the rest, and highlight those things I cannot find on google and those that do not result in legit app results. For a new user, I would suggest posting the third pass log here.
When done with HJT, please also run AdAware 6.0 and SpyBot S&D 1.3 one more time each, in safe mode and as admin if you are working on a box running 2000 or XP. This can catch leftovers.
This thread I am leaving open, folks with tips to add are welcome, we can catch minor errors this way and post corrections. I am requesting that any mods who see major errors in this post both fix this and notify me in PM as to why or email me. Primesuspect has my email addresses, multiple, and my email pickups are frequently on-- more often on than off.
If anyone here wants to write a howto for a killing process def a new user of HJT can use, this content can be used with or without attribution and is released to the public domain totally-- it can be combined into a revised howto if wanted, also. I "hate viruses" that bad... I will probably summarize the result of this thread somewhere in a security area on my site also, so folks here can link to it. If I get and use contribs, will ask for permission to use and attribute to users with this site's user ID and site name and link to this thread.
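Passes one and two from the post above, as an added Python example that is not part of the original post. Only the ccApp.exe path rule and the fsibkvbg.exe name come from the post; the sample log lines, the `KNOWN` table, the accepted marker spellings and the consonant-run hint are assumptions made for illustration. It only reports a verdict per line and deletes nothing.

```python
import re
from pathlib import PureWindowsPath

# Known-good file names -> fragments the path should contain. Only the
# ccApp.exe rule is from the post; add entries from your own research.
KNOWN = {"ccapp.exe": ("symantec", "\\common client\\")}

# Pass-one markers. The post writes "(noname)" and "(missing file)"; the
# spaced / reordered spellings are accepted as well (assumption).
NONAME = re.compile(r"\(no ?name\)", re.I)
MISSING = re.compile(r"\((?:missing file|file missing)\)", re.I)
EXE_PATH = re.compile(r'[A-Za-z]:\\[^"*?<>|]*?\.exe', re.I)

def longest_consonant_run(stem):
    """Crude randomness hint (assumption): longest run of consonants."""
    runs = re.findall(r"[bcdfghjklmnpqrstvwxz]+", stem.lower())
    return max((len(r) for r in runs), default=0)

def triage(line):
    """Return (verdict, detail) for one log line; nothing is deleted."""
    if NONAME.search(line) and MISSING.search(line):
        return ("pass1-junk", "no name and missing file")
    m = EXE_PATH.search(line)
    if not m:
        return ("skip", "no .exe path on this line")
    path = m.group(0)
    name = PureWindowsPath(path).name.lower()
    if name in KNOWN:
        ok = all(frag in path.lower() for frag in KNOWN[name])
        return ("known-ok" if ok else "known-wrong-path", path)
    stem = name[:-len(".exe")]
    hint = "random-looking" if longest_consonant_run(stem) >= 4 else "unknown"
    return ("pass2-research", f"{hint}: {path}")

# Constructed sample lines, not taken from a real log.
SAMPLE = [
    r"O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\example.dll (file missing)",
    r"O4 - HKLM\..\Run: [ccApp] C:\Program Files\Symantec\Common Client\ccApp.exe",
    r"O4 - HKLM\..\Run: [ccApp] C:\WINDOWS\Temp\ccApp.exe",
    r"O4 - HKLM\..\Run: [fsibkvbg] C:\WINDOWS\System32\fsibkvbg.exe",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(triage(entry), "<-", entry)
```

A "known-wrong-path" verdict is the case the post hints at: a familiar name living somewhere it does not belong still needs research before it is trusted.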
Comments
The latest HJT (AFAIK this is version 1.97+) installs by default to (on some versions of Windows):
(boot drive):\Program Files\Hijack This!\ and that will work. It sticks the backups in a folder \Backup\ attached to default path. Just define a default install path if you want a special place, when you load it. Desktop is not a good place, nor is a system or system32 directory, the Program Files directory works fine.
Seth, I understand why you are saying this, an easy to remember place is an easy to find place, but the latest version makes its own home for backups by default at install time.
If a user loses track of the backups folder, search for this in the file finder\searcher:
*.reg
Then look for a result path with hjt or Hijack This! in it that has a lot of .reg files in it. To apply the reg files, double-click the folder result you want to open a My Computer folder browsing window for, as admin on XP or 2000 (with ME and back, ignore admin part), double-click the ones you want reapplied, one at a time (you might or might not get a VISIBLE response to this (XP commonly will ask you if you are sure you want this done), DYN-DATA registry update keys will be written). When done, restart computer from within Windows. The DYN-DATA registry update pokes from the reg updates you forced by double-clicking the .reg files you want reloaded will then be committed. You will get your visible response at restart time, Windows will tell you it is applying changes and\or just say it is changing settings, in white on black DOS look screen, and if you see nothing of this and the Windows startup splash page appears, simply press ESC key once when splash screen appears to see this (OEMs CAN mask this from working, stock Windows right from Microsoft will normally respond to this).
This is the "other" way to find your backups and use them, and in fact if you know what a .reg file does you can use any .reg file as it is intended to be used this way-- DO NOT double-click on unknown .reg files.... Figured a "HOWTO find your HJT backups" tiplet might be nice for some folks.